Last year I wrote about the DOJ's updated guidance (here). On June 2, 2020, the DOJ unexpectedly made updates to its guidance. This update supersedes last year's guidance. The guidance is mainly designed to assist prosecutors "in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution". As a community of compliance professionals, we also follow the guidance closely to help our clients build their compliance programs.
Usually the DOJ evaluates compliance programs "at the time of the offense and at the time of the charging decision or resolution". With that in mind, it is important (1) to have a compliance program, (2) to have an effective compliance program, and (3) to have one tailored to your company's risk profile rather than copied and pasted from some other company's program.
Prosecutors ask three questions when evaluating the program:
1. “Is the corporation’s compliance program well designed?”
2. “Is the program being applied earnestly and in good faith?” Is the program adequately resourced and empowered to function effectively? (this differs from the previous language - see below for further comments) (emphasis added)
3. “Does the corporation’s compliance program work” in practice?
(JM 9-28.800)
Let's cut to the chase and on to the updates.
First, data analytics. In investigations, we attorneys and prosecutors look at data. In the compliance context, however, this is day-to-day work, and compliance needs the technology to access data. The new guidance specifically poses the question: "Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?"
Practically, what does this mean for a company and its compliance officer? As a business owner, you will work closely with compliance to instruct the people in your organization to give compliance personnel the tools and access they need to do their job. In a small company setting this is manageable. Nevertheless, it needs to be communicated: IT needs to understand what Compliance needs; Sales teams need to understand that Compliance has a job to do and needs collaboration from the team; Accounting needs to understand that Compliance will need to access data for due diligence purposes; and Compliance needs to educate and train others on its role and on what it needs to do its job well. So it falls on you, as the business owner of your company, to lay the groundwork so that Compliance gets the access to data it needs and has the technological tools to access that data.
Second, evolving updates. The expectation is that a company assesses risk and reviews its policies sufficiently, based on its business, to prevent misconduct. On this subject the guidance adds the following question: "Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?" I like this question because, as an attorney, I look at cases and decisions made in enforcement actions to provide the right guidance. The discussion is something of the sort: "In such and such company this is what happened, and this is what the agency or the DOJ said in that case. Do you have a situation where this may happen, so it can be addressed now based on this decision?" However, this comes from an understanding of the business itself and from monitoring risk. From a practical perspective, then, if you as a business owner find that risk assessment has been a dormant activity in your business, perhaps now is the time to take action, given this guidance.
Third, the guidance looks for a process not only to design and implement new policies and procedures (this remains the same) but also to update existing policies and procedures. It also addresses tracking and accessibility of the policies and procedures the company designs. To quote: "[h]ave the policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?"
Fourth, for training employees, the guidance asks whether employers have a process in place for employees to ask questions about the training received. Companies will need to address employees who fail all or a portion of the testing. Do something about it.
Fifth, there is an update related to mergers and acquisitions. Companies conduct their due diligence before acquiring or merging with companies; however, the guidance states that "a compliance program should include [...] a process for timely and orderly integration of the acquired entity into the existing compliance program structures and internal controls." As always, evaluate in pre-merger and acquisition due diligence the cost of any anti-corruption issues and misconduct of the target company. In that setting, however, where a company merges with or acquires an entity, the DOJ will evaluate whether "[the company was] able to complete pre-acquisition due diligence and if not, why not?" Last on this point, the DOJ will inquire whether the company has a process to "[conduct] post-acquisition audits at newly acquired entities".
These are some of the main changes to the previous guidance. If you have questions about all the details of the update, contact me.
Attorney Aida Dismondy advises and counsels small business owners who do business with the Department of Defense and internationally on matters related to contracts, corporate governance, international trade compliance, FAR/DFARS compliance, anti-corruption, and government investigations. You can reach attorney Dismondy at 734-746-5006 or via Skype at aida.dismondy or Zoom.